In the previous article, The Rise of the Backdoored WordPress Plugins, I discussed the ever-growing threat to WordPress security in the form of compromised plugins. As promised, here are the changes made by attackers to the popular plugins, WPtouch, W3 Total Cache and AddThis.

WPtouch

This backdoor uses some advanced PHP tricks. It is disguised as an if statement. It uses a regex to extract two values from a particular COOKIE value, then calls one of those values as a function name with the other one as the parameter to that function. Very smart.

W3 Total Cache

This backdoor takes advantage of the PHP assert function. Usually this function is used for debugging, to evaluate whether a statement is true or not and act accordingly. It is a little-known fact that assert can also be used to execute PHP code: when it is handed a string, it evaluates that string as PHP. The attacker uses this trick to execute code from the X_FORWARD_FOR header value. Notice that this is not the usual X_FORWARDED_FOR header used when dealing with proxies. Clever.

AddThis

Again, the assert trick was used to gain PHP code execution. This code was placed at the end of a very long array initialization, and it was pretty hard to spot if you did not have word-wrapping enabled.

Yet Another Attack

Another plugin was also backdoored recently. The plugin is named WP-phpmyadmin, and unfortunately nobody maintains it anymore, so the WordPress team removed it from their plugin directory. If you are running that plugin, you should delete it immediately.

This time the injected code was not particularly clever, just a basic eval on user input. You can find the code below.
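The four backdoors above share a small set of source-level tells: eval() or assert() fed from request data, a regex pulled over a cookie followed by a call through a variable, and a call hidden at the far end of an over-long line. The following Python scanner is an added example for this article, not code from the post or from any of the plugins named; it walks a plugin directory and flags those tells per line, and it prints a short window around each hit so that a call buried at the end of a several-thousand-character array line is still readable. The rule names, the `Finding` class and the sample PHP snippets are my own constructions that only mimic the shapes described above.

```python
"""Heuristic scanner for the backdoor shapes described in the post:
eval()/assert() on request data, regex extraction from $_COOKIE followed
by a variable function call, and such calls hidden on very long lines.
Added example for this page; rules and samples are constructed, not the
plugins' own code.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# PHP superglobals that carry attacker-controlled request data.
USER_INPUT = r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER)\b"

# (rule name, severity, compiled regex); each rule is applied per source line.
RULES = [
    ("eval-of-user-input", "high",
     re.compile(r"\beval\s*\([^;]*" + USER_INPUT)),
    ("assert-of-user-input", "high",
     re.compile(r"\bassert\s*\([^;]*" + USER_INPUT)),
    # Matches the look-alike X_FORWARD_FOR from the post and the real X_FORWARDED_FOR.
    ("assert-of-forward-header", "high",
     re.compile(r"\bassert\s*\([^;]*HTTP_X_FORWARD")),
    ("regex-over-cookie", "medium",
     re.compile(r"\bpreg_match(?:_all)?\s*\([^;]*\$_COOKIE")),
    # $name(...) or $name[i](...): a call whose target is chosen at run time.
    ("variable-function-call", "low",
     re.compile(r"\$[A-Za-z_]\w*(?:\[[^\]]*\])?\s*\(")),
]


@dataclass
class Finding:
    path: str
    line: int
    col: int
    rule: str
    severity: str
    snippet: str  # text around the match, not the whole (possibly huge) line


def scan_source(path: str, source: str, context: int = 60) -> List[Finding]:
    """Apply every rule to every line; return one Finding per match."""
    findings: List[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            for m in pattern.finditer(text):
                start = max(0, m.start() - context)
                end = min(len(text), m.end() + context)
                findings.append(Finding(path, lineno, m.start() + 1, rule,
                                        severity, text[start:end].strip()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every .php file below root (e.g. wp-content/plugins)."""
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_source(full, fh.read()))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule name."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample files that mimic the four shapes from the post (not the real plugin code).
SAMPLE_FILES: Dict[str, str] = {
    # WPtouch-style: regex splits a cookie, first field becomes the callee.
    "cookie_call.php":
        "<?php\nif (preg_match('/^(\\w+):(.*)$/', $_COOKIE['wp_s'], $m)) { $m[1]($m[2]); }\n",
    # W3 Total Cache-style: assert() evaluating a look-alike header as PHP.
    "header_assert.php":
        "<?php\nassert($_SERVER['HTTP_X_FORWARD_FOR']);\n",
    # AddThis-style: the call sits at the end of one very long array line.
    "long_line.php":
        "<?php\n$icons = array("
        + ", ".join("'svc%d' => 'icon%d.png'" % (i, i) for i in range(400))
        + "); assert($_REQUEST['t']);\n",
    # WP-phpmyadmin-style: plain eval of request input.
    "eval_input.php":
        "<?php\neval($_POST['cmd']);\n",
    # Benign control: assert() on a local value, no request data involved.
    "clean.php":
        "<?php\n$cache = array('ttl' => 3600);\nassert(is_int($cache['ttl']));\n",
}


def scan_samples() -> List[Finding]:
    """Run the rules over the constructed samples (offline self-check)."""
    out: List[Finding] = []
    for name, src in SAMPLE_FILES.items():
        out.extend(scan_source(name, src))
    return out


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line}:{f.col} [{f.severity}] {f.rule}: {f.snippet}")
    print(summarize(scan_samples()))
```

Run it against a real install with `scan_tree("/path/to/wp-content/plugins")`. The rules are deliberately broad: `variable-function-call` will also fire on legitimate callback code, which is why it carries a low severity and is meant to be read together with the other hits from the same file rather than on its own.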

In conclusion, attackers are getting more sophisticated, and their backdoors are becoming stealthier and harder to spot. There have been more security intrusions this year than in the past 3 years combined!

Stay secure!


2 thoughts on “Recently Backdoored WordPress Plugins”

Thank you for your information.
Anyway, perhaps you can also explain what the attacker can do with that code?
Your article only explains what the attacker did to the code, but does not explain what the purpose of the code is or its effect on the website.
Thank you.

In simple terms, if a hacker manages to inject code into plugins which you download, he would be able to execute any other PHP code he wants on your blog, which means he can alter your content or upload and distribute illegal content from your website. This is just to mention a few of the things a malicious user can do…